Good heavens, is it time to patch Cisco kit again? Prime Infrastructure root privileges hole plugged... Better be careful or the US Administration will ban them next as a security risk

Among a bumper crop of 57 security issues Cisco divulged on Wednesday was a fix for a trio of vulns, one critical, in networks management tool Prime Infrastructure. The latter potentially allows unauthenticated miscreants to execute arbitrary code with root privileges on PI devices.

The updates come just two days after the firm copped to a secure boot flaw in its routers that has been dubbed (pronounced Thrangrycat) by those who discovered it.

It has also been just a few months since a pile of patches addressed roughly similar problems, including a slack handful of remotely rootable vulns in Hyperflex. Over the years El Reg has written time and again about severe and critical problems with PI, including a SQL injection nasty and a method of obtaining root privs through a malformed HTTP POST request, among many others.

In the past, we do know that similar vulnerabilities that were discovered (by another large US company) used to delay their public announcements so that their own government could exploit them on foreign soil. Hopefully, that practice has died out as I'm sure any US multinational company today would not play that game and risk being banned... It's just that Cisco has had so many vulnerabilities discovered sometimes for many consecutive months in a row. If I was a smaller company/government I'd feel a bit worried about what I don't know.

See www.theregister.co.uk/2019/05/…

#cisco #security



source https://squeet.me/display/962c3e10-245c-e05c-eddb-f4d880258871
